Our Browser Based Authentication (BBAuth) is a generic mechanism that will allow users to grant 3rd party web-based applications access to their Yahoo! data. There's already a similar mechanism in place on Flickr and used by services like MOO. BBAuth is the protocol that's going to open the door to doing the same thing for many Yahoo! branded services in the coming months. Stay tuned for those announcements. :-)

Beyond that, BBAuth also makes it possible to use Yahoo! as a single sign-on for your site, thus removing a barrier to entry for a whole lot of people (over 200 million to be exact). This is still fairly experimental, so we'd love to get your feedback and input on how to make it even more useful.

The first two Yahoo! services supporting BBAuth are Yahoo! Photos (API) and Yahoo! Mail (API only available to Hack Day attendees at the moment).

This was a long time in the making, so it's quite a relief to get it out the door. Special thanks to the folks in Photos and Mail for getting support enabled in time for Hack Day.

What can I as an application developer do using the authentication API?

This doesn't seem to be answered on the site you linked to, at least not clearly.

Can I store arbitrary key=>value pairs? More than that? What Yahoo data can I ask the user to grant me?

I could not find any of these nitty gritty details, which basically constitute why I would want to use the service. The FAQ outlined the limits of the service before it really told me what the service was (that's like the first FAQ question, but the answer is vague marketing stuff).

This seems exciting. Dave Winer seems to think so. Just confused on what exactly this enables.

I have been wanting to talk about Yahoo and their aggressive pursuit of Google in the Internet space for a while. The biggest manifestation of this has been their courting of developers to leverage their ecosystem. But this is big - this IMHO puts them abreast if not ahead of Google right now.

While I think this is great for Web 2.0 developers to get access to Yahoo services, it would have been *so* much better if it would have been a user-centric model. Hopefully this is a first step in Y! adopting a user-centric model in the future. I wrote a little about it at:

I'm keen to ensure that no part of the information I trust Yahoo with is leaked to other sites, including the existence or otherwise of a Yahoo account. As a user, how can I ensure that the requests are always automatically rejected without giving the calling site a clue about whether I do or do not have a Yahoo ID?

Congratulations on the launch, though! It's an area where the technical me and end user me have different views.

Like Ryan I am a little confused about the wider benefits of BBauth. My initial take is that it encourages people to register with Yahoo so they can access third party sites which require registration and use BBauth. However, presumably the operators of third party sites can't access any information about their users who come in via Yahoo.

From a user perspective this may be attractive, but it doesn't seem very attractive to the third party site operator.

As a third party site we find it very attractive and are working on integration now. With the user hash it's a starting point for a relationship with the member, that can provide a key into the side door for you to start customizing the experience for the visitor.

It's step number one from a visitor who you'll probably never see again to someone who had a good, fast authentication experience that worked with something they already have.

Growing from a small to big site you face a lot of hurdles - people show up, like what you have to say but grimace about another username and password. Then they see that their handy dandy Yahoo! login gets them quick access to comment or start getting involved. After that initial step you can then work on expanding the proposition to the user and convert them to deeper membership levels.

It's like meeting a girl at a bar - you didn't get her phone number but she got yours. It's at least the start of what could become a relationship, not a fleeting read and leave.

It would have been excellent if out of the gate you had implemented OpenID API. I look forward to being able to really get excited about BBAuth.

on October 1, 2006 05:29 PM
